Xhy's Blog

Reverse and Think

0%

在Linux和Windows上安装r2frida

发表于

概述

之前了解到r2frida这一工具,由于环境问题,并未安装成功。

Kali LinuxWindows上安装r2frida成功,记录一下。

Linux安装

环境

系统:Kali Linux 2021.2
软件:Node.js 12.22.5Frida 15.1.3
安装目标:Radare2 5.4.2r2frida 5.4.4

准备

radare2

1
2
git clone https://github.com/radareorg/radare2
radare2/sys/install.sh

r2frida

可直接到Release页下载,以下是自行编译流程

安装依赖
1
sudo apt install -y make gcc libzip-dev nodejs npm curl pkg-config git
更换npm源(可选)
1
npm config set registry http://registry.npmmirror.com
克隆仓库
1
git clone https://github.com/nowsecure/r2frida
修改

编辑Makefile,修改frida_version为frida安装版本

编译
1
2
sudo make
sudo make install

安装成功将提示:

1
2
mkdir -p "//usr/local/lib/radare2/5.4.3"
cp -f io_frida.so* /"/usr/local/lib/radare2/5.4.3"

运行r2 frida://?显示帮助,测试插件是否安装成功。

Windows安装

环境

系统:Windows 10 20H2 x64
软件:Visual Studio 2019Node.js 14.17.4Cygwin 3.2.0(记得选择wget)、Frida 15.1.2
(提前安装好以上环境,VS版本至少为2015)

安装目标:Radare2 5.4.2r2frida 5.4.4

准备

radare2

前往Releases · radareorg/radare2下载radare2-5.4.2-w64.zip,解压到任意目录。
..\radare2\bin目录添加到PATH环境变量后,执行r2 -v查看版本号

r2frida

可直接到Release页下载,以下是自行编译流程

更换npm源(可选)

1
npm config set registry http://registry.npmmirror.com

克隆仓库

1
git clone https://github.com/nowsecure/r2frida

修改

编辑build.bat,修改frida_version为frida安装版本,修改R2_BASEradare2安装目录(不需要bin

..\radare2\include\libr\r_cons.hUTF-8 with BOM编码重新保存(防止编译出错)

编译

cmd中打开该目录,使用vcvarsall.bat初始化环境,然后执行安装脚本

1
2
"[Visual Studio安装位置]\VC\Auxiliary\Build\vcvarsall.bat" x64
.\build.bat install

安装成功将提示:

1
2
3
Installing...
Copying 'io_frida.dll' to C:\Users\xhy\.local\share\radare2\plugins
        1 file(s) copied.

运行r2 frida://?显示帮助,测试插件是否安装成功。
结果如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
r2 frida://[action]/[link]/[device]/[target]
* action = list | apps | attach | spawn | launch
* link   = local | usb | remote host:port
* device = '' | host:port | device-id
* target = pid | appname | process-name | program-in-path | abspath
Local:
* frida://?                        # show this help
* frida://                         # list local processes
* frida://0                        # attach to frida-helper (no spawn needed)
* frida:///usr/local/bin/rax2      # abspath to spawn
* frida://rax2                     # same as above, considering local/bin is in PATH
* frida://spawn/$(program)         # spawn a new process in the current system
* frida://attach/(target)          # attach to target PID in current host
USB:
* frida://list/usb//               # list processes in the first usb device
* frida://apps/usb//               # list apps in the first usb device
* frida://attach/usb//12345        # attach to given pid in the first usb device
* frida://spawn/usb//appname       # spawn an app in the first resolved usb device
* frida://launch/usb//appname      # spawn+resume an app in the first usb device
Remote:
* frida://attach/remote/10.0.0.3:9999/558 # attach to pid 558 on tcp remote frida-server
Environment:
  R2FRIDA_SAFE_IO                  # Workaround a Frida bug on Android/thumb
  R2FRIDA_DEBUG                    # Used to debug argument parsing behaviour
  R2FRIDA_AGENT_SCRIPT             # path to file of the r2frida agent

使用

(连接帮助见上文)

获取usb device id(可选)

执行frida-ls-devices,获取usb device id
然后启动app:

1
r2 frida://launch/usb/[设备id]/[包名]

设备id为空时,连接第一个usb设备

查询帮助

r2frida commands are prefixed with =! or :.

附加上app后,如果要使用r2frida的命令,需要在前面增加=!:
如:=!?:?(获取帮助)
在命令后加问号,可查询命令帮助,如:/?ps?

过滤输出

使用~过滤输出结果,类似于grep
例如::il~libart.so (仅输出libart.so地址)

查看信息

:i?: 查看帮助

:i: 查询信息
:ic: 列出所有类
:icl: 列出已加载的类
:icm: 列出类方法
:il: 列出模块
:iE 模块名: 列出模块导出符号

搜索字符串

:/?:查看帮助

:/ 关键字: 在内存中搜索关键字
:/x 16进制: 在内存中搜索十六进制数据

打印内存、反汇编

p?:查看帮助 (这是r2的命令,不需要冒号)

s 地址: 设置当前地址

x: hexdump当前地址的内存
x @ 地址: hexdump指定地址的内存(其他命令同理)
ps: 打印字符串
pd: 反汇编

动态调试

:d?: 查看帮助

:dm: 列出内存区域(类似于maps文件)
:dt: 跟踪地址调用
:dtf: 跟踪地址调用,并格式化输出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Usage: dtf [format] || dtf [addr] [fmt]
  ^  = trace onEnter instead of onExit
  +  = show backtrace on trace
 p/x = show pointer in hexadecimal
  c  = show value as a string (char)
  i  = show decimal argument
  z  = show pointer to string
  w  = show pointer to UTF-16 string
  a  = show pointer to ANSI string
  h  = hexdump from pointer (optional length, h16 to dump 16 bytes)
  H  = hexdump from pointer (optional position of length argument, H1 to dump args[1] bytes)
  s  = show string in place
  O  = show pointer to ObjC object
Undocumented: Z, S
 dtf    trace format

加载Frida脚本

:.?: 查看帮助

:. 脚本路径: 加载js脚本

其他命令

cl清屏

参考

r2frida使用
Android动态调试-R2frida和lldb
RADARE2+FRIDA=R2FRIDA Best Dynamic Debugging Tool
vs编译 error C2001: 常量中有换行符